Privacy & Information Security Law Blog

On October 24, 2012, the UK Justice Select Committee (the “Committee”), appointed by the House of Commons to examine the expenditure, administration and policy of the UK Ministry of Justice, published its opinion on the proposed General Data Protection Regulation (the “Proposed Regulation”) and proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”). In the opinion, the Committee agrees that new proposals are necessary, both to update the existing data protection framework and to “confer on individuals their new rights and freedoms.” The Committee expresses reservations, however, regarding a number of key issues, and concludes that the European Union data protection proposals “need to go back to the drawing board.” The Committee notes that in its present form, the Proposed Regulation will not produce a “proportionate, practicable, affordable or effective system of data protection in the EU.”

On October 26, 2012, following the Justice Council’s meeting, Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, delivered a speech highlighting that the Commission’s proposed data protection law reform package is currently at a crucial stage in the negotiation process. Commissioner Reding stated that “[a] high level of data protection will turn the European Union into an international standard setter” and that “[o]nly a high level of data protection will generate trust between citizens and private enterprises.” Commissioner Reding conceded, however, that “[w]e do not want rules that place an excessive burden on business,” and that the Commission is prepared to make certain concessions relating to the draft proposals in order to “strike the right balance.”

On October 23, 2012, just two weeks after issuing a series of reports highlighting the UK Information Commissioner’s Office’s (“ICO’s”) concerns regarding data protection compliance within the public sector, the ICO has imposed a monetary penalty of £120,000 and issued an enforcement notice against Stoke-on-Trent City Council (“Stoke Council”) in relation to a serious data breach. The breach involved the transmission of sensitive personal information related to a child protection case by email in an unmarked and unprotected manner to the incorrect email address.

On October 22, 2012, the Federal Trade Commission released a report entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies.” The report focuses on privacy concerns associated with facial recognition technology, which is becoming increasingly ubiquitous across a variety of commercial applications ranging from search engines to video games to password authentication.

On October 24, 2012, Peter Hustinx, the European Data Protection Supervisor, speaking at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay, called the proposed EU Data Protection Regulation an “ambitious” undertaking, designed to achieve three goals.

First, Hustinx said the regulation is intended to provide the structure for European data protection for at least the next 20 years.

Second, the draft regulation will eliminate the wide variety of requirements that has resulted from the current EU Data Protection Directive’s being transposed into national law in 27 member states.

On October 22, 2012, the Federal Trade Commission announced a proposed settlement agreement with Compete, Inc. (“Compete”), an online market research company that collects clickstream data from consumers to generate and sell analytical reports about consumer behavior on the Internet.

This year, the International Conference of Data Protection and Privacy Commissioners takes place in Punta del Este, Uruguay. On October 22, 2012, Article 29 Working Party President Jacob Kohnstamm kicked off the conference with the Public Voice session, sending a clear message that the Article 29 Working Party will resist EU data protection reform proposals involving the use of consent and legitimate business interests as legal bases for data processing.

Governance for next generation data applications increasingly will depend less on individual consent, and more on ...

In the opening session of the 34th International Conference of Data Protection and Privacy Commissioners, Conference Executive Committee Chair and Article 29 Working Party President Jacob Kohnstamm introduced this year’s conference. He noted that the topic of this year’s closed session will be profiling. Kohnstamm also indicated that future DPA conferences would focus on the closed session, which typically is comprised of current and former data protection authorities. Among the speakers in the 2012 closed session is Professor Fred H. Cate, Senior Policy Advisor for the Centre for Information Policy Leadership at Hunton & Williams LLP.

On October 17, 2012, Colombia enacted a new omnibus data protection law known as Ley 1581 del 17 de octubre de 2012 por el cual se dictan disposiciones generales para la protección de datos personales. The law contains significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights (e.g., access and correction), special obligations applicable specifically and directly to service providers, a registration requirement and cross-border data transfer restrictions. The law also provides for the ...

On October 15, 2012, Privacy Commissioner of Canada Jennifer Stoddart and the Federal Commissioner for Data Protection and Freedom of Information in Germany, Peter Schaar, signed an agreement to increase intra-authority collaboration between their organizations. The agreement covers the exchange of information between the two data protection authorities, for example by informing each other of pending complaints. Notably, the agreement also addresses coordination between the DPAs with respect to their supervision of international data processing activities.